Merge pull request 'Switch to headscale' (#11) from headscale into main

Reviewed-on: https://git.everest.tailscale/Toast/nix-stuff/pulls/11
2024-11-03 01:30:30 +01:00 · 2024-11-03 01:30:30 +01:00 · 3748aae1c5
commit 3748aae1c5
parent d18e059d1e 34e1dd0bfc
7 changed files with 64 additions and 54 deletions
--- a/roles/server/caddy.nix
+++ b/roles/server/caddy.nix
@ -23,7 +23,9 @@ in {
    extraConfig = ''
      (tailscale) {
        tls internal
-        bind 100.73.96.48
+        # Old tailscale IP
+        # bind 100.73.96.48
+        bind 100.100.0.1
      }
    '';
    virtualHosts = {
@ -45,10 +47,17 @@ in {
      };
    };
  };
-  services.dnsmasq.settings.cname = [
-    "${manualHostname},everest"
-    "${downloadsHostname},everest"
-  ];
+  services.headscale.settings.dns_config.extra_records = let
+    makeRecords = builtins.map (recordName: {
+      name = recordName;
+      type = "A";
+      value = "100.100.0.1";
+    });
+  in
+    makeRecords [
+      manualHostname
+      downloadsHostname
+    ];
  systemd = {
    services.caddy.after = ["tailscaled.service"];
    # We have somewhat frequent power outages, and our ISP router takes
@ -58,4 +67,5 @@ in {
    services.caddy.serviceConfig.RestartSec = lib.mkForce "120s";
  };
  programs.rust-motd.settings.service_status.Caddy = "caddy";
+  networking.firewall.allowedTCPPorts = [443 80];
 }
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@ -11,8 +11,8 @@
    ./ddclient.nix
    ./beep.nix
    ./tailscale.nix
+    ./headscale.nix
    ./caddy.nix
-    ./dns.nix
    ./rust_motd.nix
    ./minecraft.nix
  ];
--- a/roles/server/dns.nix
+++ b/roles/server/dns.nix
@ -1,42 +0,0 @@
-{...}: {
-  services.dnsmasq = {
-    enable = true;
-
-    # Only using this for tailscale IPs, so better to let tailscale itself deal with it
-    resolveLocalQueries = false;
-
-    settings = {
-      listen-address = ["100.73.96.48"];
-
-      /*
-      Dnsmasq tries to use the tailscale dns server, which is bad cause that points to dnsmasq
-      From the little testing I have done it seems to not cause any issues, but better to be safe
-      than sorry :P
-      */
-      dns-loop-detect = true;
-
-      host-record = [
-        "winmax2,winmax2.tailscale,100.106.73.20"
-        "everest,everest.tailscale,100.73.96.48"
-        "archie,archie.tailscale,100.113.139.93"
-        "steamdeck,steamdeck.tailscale,100.85.48.85"
-        "surfacego,surfacego.tailscale,100.96.92.13"
-      ];
-
-      # If this isn't set a cname that targets a host might return the wrong ip
-      localise-queries = true;
-      ## IPv6 is not a thing in Spain so I'm guaranteed to not use it
-      filter-AAAA = true;
-      domain = "tailscale";
-      domain-needed = true;
-    };
-  };
-
-  programs.rust-motd.settings.service_status.dnsmasq = "dnsmasq";
-
-  # Dnsmasq conflicts with the resolved dns stub listener
-  services.resolved.extraConfig = ''
-    [Resolve]
-    DNSStubListener=no
-  '';
-}
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@ -44,8 +44,14 @@ in {
    };
  };

-  # Add a cname for forgejo
-  services.dnsmasq.settings.cname = ["git.everest.tailscale,everest"];
+  # Add a record for forgejo
+  services.headscale.settings.dns_config.extra_records = [
+    {
+      name = "git.everest.tailscale";
+      type = "A";
+      value = "100.100.0.1";
+    }
+  ];

  # Set up caddy as the reverse proxy for Forgejo
  services.caddy.virtualHosts.forgejo = {
--- a/roles/server/headscale.nix
+++ b/roles/server/headscale.nix
@ -0,0 +1,24 @@
+{...}: {
+  services.headscale = {
+    enable = true;
+    settings = {
+      server_url = "https://headscale.toast003.xyz";
+      ip_prefixes = [
+        "100.100.0.0/16"
+      ];
+      dns_config = {
+        base_domain = "tailscale";
+        nameservers = ["9.9.9.9"];
+        override_local_dns = true;
+      };
+    };
+  };
+  services.caddy = {
+    virtualHosts.headscale = {
+      hostName = "headscale.toast003.xyz";
+      extraConfig = ''
+        reverse_proxy localhost:8080
+      '';
+    };
+  };
+}
--- a/roles/server/syncthing.nix
+++ b/roles/server/syncthing.nix
@ -39,8 +39,14 @@
    AmbientCapabilities = "CAP_CHOWN CAP_FOWNER";
  };

-  # Add a cname for syncthing
-  services.dnsmasq.settings.cname = ["sync.everest.tailscale,everest"];
+  # Add a record for syncthing
+  services.headscale.settings.dns_config.extra_records = [
+    {
+      name = "sync.everest.tailscale";
+      type = "A";
+      value = "100.100.0.1";
+    }
+  ];

  # Set up caddy as the reverse proxy for syncthing
  services.caddy.virtualHosts.syncthing = {
--- a/roles/server/transmission.nix
+++ b/roles/server/transmission.nix
@ -37,8 +37,14 @@ in {
    '';
  };

-  # Add a cname for transmission
-  services.dnsmasq.settings.cname = ["transmission.everest.tailscale,everest"];
+  # Add a record for transmission
+  services.headscale.settings.dns_config.extra_records = [
+    {
+      name = "transmission.everest.tailscale";
+      type = "A";
+      value = "100.100.0.1";
+    }
+  ];

  # Set up caddy as the reverse proxy for transmission
  services.caddy.virtualHosts.transmission = {